mc/metacrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cc1ac2e255a706a3434dfac972b6823c4503954b
metacrypt/internal/config/config.go
Kyle Isom cc1ac2e255 Separate web UI into standalone metacrypt-web binary 
The vault server holds in-memory unsealed state (KEK, engine keys) that
is lost on restart, requiring a full unseal ceremony. Previously the web
UI ran inside the vault process, so any UI change forced a restart and
re-unseal.

This change extracts the web UI into a separate metacrypt-web binary
that communicates with the vault over an authenticated gRPC connection.
The web server carries no sealed state and can be restarted freely.

- gen/metacrypt/v1/: generated Go bindings from proto/metacrypt/v1/
- internal/grpcserver/: full gRPC server implementation (System, Auth,
  Engine, PKI, Policy, ACME services) with seal/auth/admin interceptors
- internal/webserver/: web server with gRPC vault client; templates
  embedded via web/embed.go (no runtime web/ directory needed)
- cmd/metacrypt-web/: standalone binary entry point
- internal/config: added [web] section (listen_addr, vault_grpc, etc.)
- internal/server/routes.go: removed all web UI routes and handlers
- cmd/metacrypt/server.go: starts gRPC server alongside HTTP server
- Deploy: Dockerfile builds both binaries, docker-compose adds
  metacrypt-web service, new metacrypt-web.service systemd unit,
  Makefile gains proto/metacrypt-web targets

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-15 10:15:47 -07:00

123 lines
3.4 KiB
Go
Raw Blame History

// Package config provides TOML configuration loading and validation.
package config
import (
"fmt"
"os"
"github.com/pelletier/go-toml/v2"
)
// Config is the top-level configuration for Metacrypt.
type Config struct {
Server ServerConfig `toml:"server"`
Web WebConfig `toml:"web"`
Database DatabaseConfig `toml:"database"`
MCIAS MCIASConfig `toml:"mcias"`
Seal SealConfig `toml:"seal"`
Log LogConfig `toml:"log"`
}
// ServerConfig holds HTTP/gRPC server settings.
type ServerConfig struct {
ListenAddr string `toml:"listen_addr"`
GRPCAddr string `toml:"grpc_addr"`
TLSCert string `toml:"tls_cert"`
TLSKey string `toml:"tls_key"`
ExternalURL string `toml:"external_url"` // public base URL for ACME directory, e.g. "https://metacrypt.example.com"
}
// WebConfig holds settings for the standalone web UI server (metacrypt-web).
type WebConfig struct {
// ListenAddr is the address the web server listens on (default: 127.0.0.1:8080).
ListenAddr string `toml:"listen_addr"`
// VaultGRPC is the gRPC address of the vault server (e.g. "127.0.0.1:9443").
VaultGRPC string `toml:"vault_grpc"`
// VaultCACert is the path to the CA certificate used to verify the vault's TLS cert.
VaultCACert string `toml:"vault_ca_cert"`
// TLSCert and TLSKey are optional. If empty, the web server uses plain HTTP
// (suitable for deployment behind a TLS-terminating reverse proxy).
TLSCert string `toml:"tls_cert"`
TLSKey string `toml:"tls_key"`
}
// DatabaseConfig holds SQLite database settings.
type DatabaseConfig struct {
Path string `toml:"path"`
}
// MCIASConfig holds MCIAS integration settings.
type MCIASConfig struct {
ServerURL string `toml:"server_url"`
CACert string `toml:"ca_cert"`
}
// SealConfig holds Argon2id parameters for the seal process.
type SealConfig struct {
Argon2Time uint32 `toml:"argon2_time"`
Argon2Memory uint32 `toml:"argon2_memory"`
Argon2Threads uint8 `toml:"argon2_threads"`
}
// LogConfig holds logging settings.
type LogConfig struct {
Level string `toml:"level"`
}
// Load reads and parses a TOML config file.
func Load(path string) (*Config, error) {
data, err := os.ReadFile(path)
if err != nil {
return nil, fmt.Errorf("config: read file: %w", err)
}
var cfg Config
if err := toml.Unmarshal(data, &cfg); err != nil {
return nil, fmt.Errorf("config: parse: %w", err)
}
if err := cfg.Validate(); err != nil {
return nil, err
}
return &cfg, nil
}
// Validate checks required fields and applies defaults.
func (c *Config) Validate() error {
if c.Server.ListenAddr == "" {
return fmt.Errorf("config: server.listen_addr is required")
}
if c.Server.TLSCert == "" {
return fmt.Errorf("config: server.tls_cert is required")
}
if c.Server.TLSKey == "" {
return fmt.Errorf("config: server.tls_key is required")
}
if c.Database.Path == "" {
return fmt.Errorf("config: database.path is required")
}
if c.MCIAS.ServerURL == "" {
return fmt.Errorf("config: mcias.server_url is required")
}
// Apply defaults for seal parameters.
if c.Seal.Argon2Time == 0 {
c.Seal.Argon2Time = 3
}
if c.Seal.Argon2Memory == 0 {
c.Seal.Argon2Memory = 128 * 1024
}
if c.Seal.Argon2Threads == 0 {
c.Seal.Argon2Threads = 4
}
if c.Log.Level == "" {
c.Log.Level = "info"
}
// Apply defaults for web server.
if c.Web.ListenAddr == "" {
c.Web.ListenAddr = "127.0.0.1:8080"
}
return nil
}
Reference in New Issue View Git Blame Copy Permalink